Yeh. It send through the key/values in HTTP POST and then you have the SQL and K/C's on the server, the SQL itself is not sent. Server passes them through as parameters to the Node.JS `pg` module so that takes care of defeating SQL injection.